Home » Identity & Access » Identity Theft

The No-Fly List and Airport Security's Achilles Heel

A print-your-own boarding pass could be combined with credit card fraud to subvert the no-fly list. Are you concerned?

Print your own boarding pass can be combined with credit card fraud to subvert the "no-fly list". Senator Charles Schumer of New York laid out this scenario in a letter dated February 11, 2005, to TSA officials.

1. Joe Terrorist (whose name is on the no-fly list) buys a ticket online in the name of Joe Smith using a stolen credit card. Joe Smith is not listed on the terrorist watch list.

2. Joe Terrorist then prints his "Joe Smith" boarding pass at home, and then electronically alters it to create a second almost identical boarding pass under the name Joe Terrorist, his name.

3. Joe Terrorist then goes to the airport and goes through security with his real ID and the FAKE boarding pass. The name and face match his real driver’s license. The airport employee matches the name and face to the real ID.

4. The TSA guard at the magnetometer checks to make sure that the boarding pass looks legitimate as Joe Terrorist goes through. He or she does not scan it into the system, so there is still no hint that the name on the fake boarding pass is not the same as the name on the reservation.

5. Joe Terrorist then goes through the gate into his plane using the real Joe Smith boarding pass for the gate’s computer scanner. He is not asked for ID again to match the name on the scanner, so the fact that he does not have an ID with that name does not matter. (Since Joe Smith doesn’t actually exist it does not coincide with a name on the terrorist watch list) Joe Terrorist boards the plane, no questions asked.

So why has nothing been done to close this loophole? The root cause is probably harder to determine than the solution. It could be an aversion by both airlines and government to annoy travelers further with longer queues, especially since several airlines are experiencing financial difficulties. Perhaps neither the airlines nor the TSA want to make the hole more obvious (if that is possible) by acknowledging it.

Nico Mendelez, a TSA spokesperson, downplayed the threat of counterfeit boarding passes, saying that security doesn’t begin and end at the security checkpoints. "On the back side of security checkpoints, we have federal air marshals, hardened doors and other tools in place to reduce threats inside the aircraft."

This may be true, but doesn’t that mean the whole process needs to be re-evaluated? Perhaps the solution is to use risk management to assess the real risks and put appropriate controls in place. Rather than adding another checkpoint to scan boarding passes and access the airline records system (and the no-fly list), let’s look at the entire process. Rather than worrying about removing computers from bags and taking off our shoes and jackets prior to x-ray, let’s concentrate on where controls are needed. Because without proper controls, airline security is a disaster waiting to happen.